Posted to commits@camel.apache.org by as...@apache.org on 2020/02/26 18:34:55 UTC
[camel-k] 12/15: feat(buildah): Add security context capabilities
required by Buildah on OpenShift
This is an automated email from the ASF dual-hosted git repository.
astefanutti pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit ee07e9cec69eef14f1b9116dbd1433d6e75b39ca
Author: Antonin Stefanutti <an...@stefanutti.fr>
AuthorDate: Wed Feb 26 10:44:55 2020 +0100
feat(buildah): Add security context capabilities required by Buildah on OpenShift
---
pkg/trait/builder.go | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/pkg/trait/builder.go b/pkg/trait/builder.go
index 4d9214a..76df2ac 100644
--- a/pkg/trait/builder.go
+++ b/pkg/trait/builder.go
@@ -175,11 +175,9 @@ func (t *builderTrait) builderTask(e *Environment) *v1.BuilderTask {
BaseTask: v1.BaseTask{
Name: "builder",
},
- Meta: e.IntegrationKit.ObjectMeta,
- BaseImage: e.Platform.Status.Build.BaseImage,
- Runtime: e.CamelCatalog.Runtime,
- //Sources: e.Integration.Spec.Sources,
- //Resources: e.Integration.Spec.Resources,
+ Meta: e.IntegrationKit.ObjectMeta,
+ BaseImage: e.Platform.Status.Build.BaseImage,
+ Runtime: e.CamelCatalog.Runtime,
Dependencies: e.IntegrationKit.Spec.Dependencies,
//TODO: sort steps for easier read
Steps: builder.StepIDsFor(builder.DefaultSteps...),
@@ -294,6 +292,16 @@ func (t *builderTrait) buildahTask(e *Environment) (*v1.ImageTask, error) {
Args: []string{strings.Join(args, " && ")},
Env: env,
WorkingDir: path.Join(builderDir, e.IntegrationKit.Name, "context"),
+ // This requires the builder service account to have privileged SCC on OpenShift
+ // It should be removed when Buildah fully supports unprivileged build
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Add: []corev1.Capability{
+ "SETGID",
+ "SETUID",
+ },
+ },
+ },
},
BuiltImage: image,
}, nil
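Review bot: The comment above the new `SecurityContext` says the builder service account needs the privileged SCC, but the code only adds `SETGID` and `SETUID`, so a reader following the comment would grant far more than the container asks for. If an SCC that merely permits these two capabilities is sufficient (not verifiable from this hunk), say so, e.g. `// Requires an SCC that allows the SETGID and SETUID capabilities for the builder service account on OpenShift`. The block also leaves `AllowPrivilegeEscalation` unset and does not drop any capability, so the container keeps the runtime's default set in addition to these two; it would help to state whether that is intentional. The "should be removed" line has no issue reference, which makes the temporary grant easy to forget. The body of buildahTask starts and continues outside this hunk, so whether the context is applied only on OpenShift cannot be told from here.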